Philippe Ombredanne
@pombredanne
(the comment about separating format was for the future )
Shivam Sandbhor
@sbs2001
@pombredanne I've made the suggested changes in nexB/vulnerablecode#290, please review again
Shivam Sandbhor
@sbs2001
They have good data. Many package types like Conan, packagist, go are covered
and of course maven
Philippe Ombredanne
@pombredanne
indeed ... and we should explain in a ticket that we should really adopt the same strategy if needed ... a manual approach
Using these just as a source of inspiration for manual creation of new data
Shivam Sandbhor
@sbs2001
btw did we pass the nlnet tests ?
Philippe Ombredanne
@pombredanne
not yet :)
they have not yet started
Philippe Ombredanne
@pombredanne
@sbs2001 in this order?
Shivam Sandbhor
@sbs2001
yes
Shivam Sandbhor
@sbs2001
@pombredanne I don't understand https://github.com/nexB/vulnerablecode/pull/278#discussion_r535120377, could you jot down the function prototype real quick?
IMHO def _load_advisories(**kw) is even worse, but you probably didn't mean that :)
Shivam Sandbhor
@sbs2001
I've made the suggested changes at nexB/vulnerablecode#278.
Btw for code reviews do suggest alternative names there itself, I'm terrible with figuring out good names myself ;)
Philippe Ombredanne
@pombredanne
ah ok :)
Shivam Sandbhor
@sbs2001
https://crowdsec.net/ interesting
Philippe Ombredanne
@pombredanne

@sbs2001 crowdsec is interesting indeed. But the data they amass becomes proprietary unfortunately.

https://crowdsec.net/faq/ Data Ownership

Those curated data are CrowdSec property and a usage right is given to users receiving an IP list. It can be even used outside of the context of CrowdSec. If you use CrowdSec and share the IP blocked with us, nothing prevents you from using the ban list you receive on your SIEM or other security tools.

Shivam Sandbhor
@sbs2001
FYI I've made the changes at nexB/vulnerablecode#278 and left comments for your consideration
Philippe Ombredanne
@pombredanne
@sbs2001 Thanks... on my todo this morning :P
Tushar Upadhyay
@tushar912
@pombredanne @sbs2001 Please review nexB/vulnerablecode#294
Shivam Sandbhor
@sbs2001
@pombredanne I want to switch to either azure or GH action ASAP. https://news.ycombinator.com/item?id=25338983
Philippe Ombredanne
@pombredanne

@sbs2001 re:

ossf/wg-vulnerability-disclosures#75

that's great :) one more data source

Philippe Ombredanne
@pombredanne

I want to switch to either azure or GH action ASAP. https://news.ycombinator.com/item?id=25338983

sure thing. Let's do it. :)

Shivam Sandbhor
@sbs2001
Let's use GH action then :)
Philippe Ombredanne
@pombredanne
fine by me. :+1:
Shivam Sandbhor
@sbs2001
@pombredanne more doc improvements nexB/vulnerablecode#298
Shivam Sandbhor
@sbs2001
@pombredanne I still don't have write access
Philippe Ombredanne
@pombredanne
@sbs2001 what do you mean wrt. not having write access?
Shivam Sandbhor
@sbs2001
@pombredanne re: write access
It's fixed now :)
Shivam Sandbhor
@sbs2001
@pombredanne I thought about https://github.com/nexB/vulnerablecode/pull/290#discussion_r540875185, and I think storing the ScoringSystems in the db would be a better approach
Philippe Ombredanne
@pombredanne
@sbs2001 checking all these :)
Philippe Ombredanne
@pombredanne
done
Shivam Sandbhor
@sbs2001
@pombredanne about the ScoringSystems: since it is supposed to be for humans, how about we instead have an rst file with the description of each ScoringSystem. We don't need it in the db anyway
Shivam Sandbhor
@sbs2001
@tdruez could you please review nexB/vulnerablecode#303? Can we have something simpler than a Q object there?
Philippe Ombredanne
@pombredanne

about the ScoringSystems: since it is supposed to be for humans, how about we instead have an rst file with the description of each ScoringSystem. We don't need it in the db anyway

Which is why a small object would be enough IMHO (if we can avoid having the doc separate from the code, that's best and we can generate the doc from code)

Shivam Sandbhor
@sbs2001
Sure :) and I am using ScoringSystem objects now; there are other reasons going for it too: documenting the severity types is enforced when having something in code, while in the rst way it's possible to add ad-hoc severity types without documenting them
Shivam Sandbhor
@sbs2001
@pombredanne please review nexB/vulnerablecode#290, that PR collects severities from NVD and redhat, I'll file another PR to collect more severities.
Shivam Sandbhor
@sbs2001

@pombredanne we need to figure out endpoints for nexB/vulnerablecode#284

Would there be any problem if we assign those to api/vulnerabilities and api/packages, and move the current list API (which lives at api/vulnerabilities and api/packages) to api/vulnerabilities/search and api/packages/search?

Shivam Sandbhor
@sbs2001
@pombredanne reviews are pending :)
Philippe Ombredanne
@pombredanne
@sbs2001 ok, let's have a review session together tomorrow CET morning
Shivam Sandbhor
@sbs2001

from https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

CVE is not a vulnerability database, instead CVE allows vulnerability databases to be linked together under commonly used IDs